Abstract

This paper studies the one-way communication complexity of the subgroup membership problem, a
classical problem closely related to basic questions in quantum computing. Here Alice receives, as input,
a subgroup $H$ of a finite group $G$; Bob receives an element $x \in G$. Alice is permitted to send a single
message to Bob, after which he must decide if his input $x$ is an element of $H$. We prove the following
upper bounds on the classical communication complexity of this problem in the bounded-error setting:

1. The problem can be solved with $O(\log |G|)$ communication, provided the subgroup $H$ is normal.

2. The problem can be solved with $O(d_{\max} \cdot \log |G|)$ communication, where $d_{\max}$ is the maximum of
the dimensions of the irreducible complex representations of $G$.

3. For any prime $p$ not dividing $|G|$, the problem can be solved with $O(d_{\max} \cdot \log p)$ communication,
where $d_{\max}$ is the maximum of the dimensions of the irreducible $\mathbb{F}_p$-representations of $G$.

1 Introduction 

Background The power of quantum computing in various settings has been gradually clarified by many
researchers: some problems can be solved on quantum computers much more efficiently than on classical
computers, while others cannot. One computational model that has been extensively studied in this light
is the communication complexity model. In particular, one-way communication is one of the simplest
settings but it has rich connections to areas such as information theory, coding theory, on-line computing,
and learning theory. Consequently, its quantum version has been the target of intensive research
[Aar05, INRY07, Kla07, GKK+07].

Let $f : X \times Y \to \{0, 1\}$ be a Boolean function, where $X$ and $Y$ are arbitrary sets. The one-way
communication task associated to $f$ is the following: Alice has an input $x \in X$, Bob has an input $y \in Y$
and the goal is for Bob to output $f(x,y)$. The assumption here is that only one message can be sent, from
Alice to Bob, and the communication cost of a protocol is the number of bits of this message on the
worst-case input. We say that a protocol for $f$ has completeness error $\varepsilon$ if it outputs 1 with probability
at least $1 - \varepsilon$ whenever $f(x,y) = 1$, and soundness error $\delta$ if it outputs 0 with probability at least
$1 - \delta$ whenever $f(x,y) = 0$. The one-way classical bounded-error communication complexity of $f$, denoted
by $R^1(f)$, is the minimum, over all protocols $P$ for $f$ with completeness and soundness error $1/3$, of the
communication cost of $P$. The one-way quantum bounded-error communication complexity of $f$, denoted by
$Q^1(f)$, is defined similarly, but a quantum message can be used this time from Alice to Bob, and the number
of qubits of the message is considered (in this paper we suppose that there is no prior entanglement and no
shared randomness between Alice and Bob). Obviously for any function $f$, the relation
$Q^1(f) \le R^1(f) \le \lceil \log_2 |X| \rceil$ holds.

One of the main open problems in quantum communication complexity is to understand how large the
gap between $R^1$ and $Q^1$ can be. For partial functions (functions restricted to some domain
$R \subseteq X \times Y$ or, equivalently, functions with a promise on their inputs), an exponential separation
between these two quantities has been shown recently in [GKK+07]. However the situation for total functions
is far less clear: the largest gap known is an asymptotic factor of 2 [Win04].

In the exact setting, i.e., the setting where no error and no giving up are allowed, the quantum and
classical one-way communication complexities are known to be the same for any total function [Kla07]. In
the unbounded-error setting, i.e., the setting where any error probability less than 1/2 is allowed, it is known
that the gap is exactly a factor 2 for both partial and total functions [INRY07]. Although bounded-error is
a notion between the exact and unbounded-error, we stress that the bounded-error setting usually behaves
quite differently from the other two in the case of total functions, e.g., for two-way communication there is a
quadratic gap in the bounded-error setting [KS92, AA05] whereas in the exact setting no gap is known and,
in the unbounded-error setting, the gap is again exactly a factor 2 [INRY07].

Note also that for total functions in the bounded-error setting, quadratic gaps are known in the two-way
model [KS92, AA05] and exponential gaps are known in the simultaneous message-passing model
[NS96, BCWdW01]: and these models are respectively stronger and weaker than the one-way model. Thus,
whether a superlinear gap between $R^1$ and $Q^1$ can be achieved for some total function is an intriguing
question.



The subgroup membership function Many of the problems for which quantum computation is more
powerful than classical computation have group-theoretic structure. In particular, Watrous [Wat00] has used
the subgroup membership problem (as a computational problem) to separate the complexity classes MA and
QMA relative to an oracle. Inspired by Watrous's work [Wat00], we propose the subgroup membership
function as a candidate to show a superlinear gap between $R^1$ and $Q^1$. Let $G$ be any finite group, and let
$\mathcal{H}_G$ denote the set of subgroups of $G$. Then the subgroup membership function for $G$, denoted by
$\mathrm{MEMB}_G$, is the function with domain $\mathcal{H}_G \times G$ such that

$$\mathrm{MEMB}_G(H,y) = \begin{cases} 1 & \text{if } y \in H, \\ 0 & \text{if } y \notin H. \end{cases}$$

For any group $G$, the upper bound $|\mathcal{H}_G| \le 2^{(\log_2 |G|)^2}$ follows easily from the fact that any
subgroup of $G$ is generated by at most $\log_2 |G|$ elements.¹ Furthermore, there exist families of groups $G$
such that $|\mathcal{H}_G| = 2^{\Omega((\log |G|)^2)}$: for example, the abelian groups $G = \mathbb{Z}_2^r$ with $r > 1$. Thus
there exist groups $G$ for which the "trivial protocol," wherein Alice simply sends Bob the name of her
subgroup, requires $\Theta((\log |G|)^2)$ communication. The one-way classical communication complexity of the
function $\mathrm{MEMB}_G$ was previously considered by Miltersen et al. [MNSW98], who showed that for the family
of groups $G = \mathbb{Z}_2^r$, any one-way protocol with perfect soundness and completeness error 1/2 requires
$\Omega((\log |G|)^2)$-bit communication. For certain groups $G$, we conjecture that $\Omega((\log |G|)^2)$-bit
communication is needed even if the completeness and soundness errors are both 1/3.

¹ Borovik, Pyber, and Shalev [BPS96] have improved this naive bound to $|G|^{(1/4 + o(1)) \log_2 |G|}$.

On the other hand, there is a simple quantum one-way protocol, using $O(\log |G|)$-bit communication,
by which Bob can compute $\mathrm{MEMB}_G$ with perfect completeness and constant soundness for any group $G$.
In this protocol, inspired by [Wat00], Alice sends the quantum state $|H\rangle = |H|^{-1/2} \sum_{h \in H} |h\rangle$. Bob then
creates the state $\frac{1}{\sqrt{2}}(|H\rangle|0\rangle + |yH\rangle|1\rangle)$ where $|yH\rangle = |H|^{-1/2} \sum_{h \in H} |yh\rangle$, applies a Hadamard
gate on the last register, and measures it in the basis $\{|0\rangle, |1\rangle\}$ to decide which of $|H\rangle = |yH\rangle$ and
$\langle H | yH \rangle = 0$ holds.

Thus, proving that there exists a family of groups $G$ such that $R^1(\mathrm{MEMB}_G) = \Omega((\log |G|)^2)$ would lead
to a quadratic separation between $R^1$ and $Q^1$ for a total function. In other words, a major objective has been
to prove a 2-sided-error version of the lower bound by Miltersen et al. [MNSW98] mentioned above. Apart
from the goal of proving a separation between $R^1$ and $Q^1$, we believe that the communication complexity of
deciding subgroup membership is interesting in itself, since the latter is a key task in most group-theoretic
computational problems.

Overview of our results In this paper we present three upper bounds on the one-way classical
communication complexity of the subgroup membership function:

• We give a classical protocol using $\lceil \log_2 |G| \rceil$-bit communication, with perfect completeness and
constant soundness, for the subgroup membership function in the case where Alice's subgroup $H$ is
normal. This suggests that in order to obtain a separation between $R^1$ and $Q^1$ using the subgroup
membership problem, one must consider groups with many nonnormal subgroups. We also present a
lower bound which is tight for some families of groups. Notice that this situation appears to be similar
to the status of the Hidden Subgroup Problem: there exists an efficient quantum algorithm solving the
problem in the case where the hidden subgroup is normal [HRTS03]; without the normality condition,
however, very little is known. Our results rely on the theory of characters of finite groups and
especially on the connection between kernels of irreducible characters and normal subgroups, as did the
algorithms of [HRTS03].

• Let $p$ be a prime not dividing $|G|$. Then we show that $R^1(\mathrm{MEMB}_G) = O(d_{\max} \cdot \log p)$, where $d_{\max}$
is the maximum dimension of an irreducible $\mathbb{F}_p$-representation of $G$. This result uses a beautiful
characterization of the subspaces of the group algebra $\mathbb{F}_p[G]$ stabilized by $H$. We remark that for any
group $G$ of exponent $m$ (which is to say that $g^m = 1$ for all $g \in G$), we have
$d_{\max} \le d^{\mathbb{C}}_{\max} \cdot \mathrm{ord}_m(p)$, where $d^{\mathbb{C}}_{\max}$ is the maximum dimension of a complex irreducible
representation of $G$ and $\mathrm{ord}_m(p)$ is the order of $p$ in the multiplicative group of the integers relatively
prime to $m$. In particular, as there is always a prime $p$ of size $O(\log |G|)$ relatively prime to $|G|$, this
protocol has complexity no more than $O(d^{\mathbb{C}}_{\max} \cdot m \cdot \log \log |G|)$.

• Finally, we show that $R^1(\mathrm{MEMB}_G) = O(d^{\mathbb{C}}_{\max} \cdot \log |G|)$, where $d^{\mathbb{C}}_{\max}$ is the maximum dimension
of an irreducible complex representation of $G$. This upper bound is obtained by a protocol that mirrors
the technique utilized in the modular case by suitably discretizing the vector space and controlling
"geometric expansion" around invariant spaces. One corollary is that any family of groups with
an abelian subgroup of constant index has a protocol with complexity $O(\log |G|)$. In particular, for
groups such as $G = \mathbb{Z}_2 \ltimes \mathbb{Z}_2^r$, the action of $\mathbb{Z}_2$ on $\mathbb{Z}_2^r$ being to reverse the order of the
coordinates, we have $R^1(\mathrm{MEMB}_G) = O(\log |G|)$.

These results suggest a nontrivial connection between the representation theory of the group $G$ and the
subgroup membership problem, and provide natural candidates for which a superlinear separation between
$R^1(\mathrm{MEMB}_G)$ and $Q^1(\mathrm{MEMB}_G)$ may be obtained: groups with large irreducible representations and many
nonnormal subgroups, e.g., the symmetric group.
2 Preliminaries



We assume the reader is familiar with basic concepts of group theory. Here we introduce some notions 
from representation theory that we will need. In this paper, G always denotes a finite group and 1 denotes 
its identity element. 

Group representations Let $\mathbb{F}$ be a field whose characteristic does not divide the order of $G$ (so the
characteristic of $\mathbb{F}$ could be zero). An $\mathbb{F}$-representation $\rho$ of $G$ is a homomorphism from $G$ to $GL(V)$,
the group of invertible linear transformations over a vector space $V$ (over the field $\mathbb{F}$). The dimension of
$\rho$ is the dimension of $V$. We say that a representation $\rho : G \to GL(V_\rho)$ is irreducible if the only
subspaces of $V_\rho$ simultaneously fixed by the entire family of linear operators $\rho(g)$ are the trivial ones:
$\{0\}$ and $V_\rho$.

The group algebra $\mathbb{F}[G]$ is the $\mathbb{F}$-algebra of formal sums

$$\sum_{g \in G} \alpha_g \cdot e_g$$

with coordinatewise addition and multiplication defined by linearly extending the rule $e_g \cdot e_h = e_{gh}$. Note
that $\mathbb{F}[G]$ has dimension $|G|$ as a vector space over $\mathbb{F}$. The natural action of $G$ on the group algebra defines
the regular representation: the action of $x \in G$ on a vector $v = \sum_{g \in G} \alpha_g \cdot e_g \in \mathbb{F}[G]$ is denoted by
$xv$ and defined as

$$xv = \sum_{g \in G} \alpha_g \cdot e_{xg}.$$

Now, if $H$ is a subgroup of $G$, let

$$I_H = \{ v \in \mathbb{F}[G] \mid hv = v \text{ for all } h \in H \}$$

be the subspace of $H$-invariant vectors of $\mathbb{F}[G]$. It is easy to check that a vector $v$ lies in $I_H$ if and only
if $v$ is constant on each left coset of $H$ in $G$. Let $\mathcal{S}_{G:H}$ be the set of right cosets of $H$ in $G$. The vectors
$v_S = \sum_{g \in S} e_g$ for $S \in \mathcal{S}_{G:H}$ form a basis of $I_H$ and thus

$$\dim I_H = [G : H],$$

where $[G : H] = |\mathcal{S}_{G:H}| = |G| / |H|$ denotes the index of $H$ in $G$.

A theorem of Maschke's (see, e.g., [CR06, Ser77]) asserts that $\mathbb{F}[G]$ is semi-simple, i.e., $\mathbb{F}[G]$ can be
written as the direct sum of a family of irreducible representations. In this case, a theorem of
Wedderburn's [Ser77, CR06] asserts that each irreducible representation appears with multiplicity equal to
its dimension:

peIrr(G,F) 

where $\mathrm{Irr}(G, \mathbb{F})$ denotes the set of (representatives of) all the irreducible $\mathbb{F}$-representations
$\rho : G \to GL(V_\rho)$ and $d_\rho$ denotes the dimension of $\rho$. If $I_H(\rho)$ is the subspace of $V_\rho$ pointwise fixed
by $H$, we see that

peIn-(G,F) 

and conclude that 

$$\sum_{\rho \in \mathrm{Irr}(G, \mathbb{F})} d_\rho \dim I_H(\rho) = [G : H]. \qquad (1)$$

Complex characters Let $\mathbb{F}$ be the complex field $\mathbb{C}$. For any $\mathbb{C}$-representation $\rho$ of $G$, the character of
$\rho$ is the function $\chi : G \to \mathbb{C}$ such that $\chi(g) = \mathrm{tr}(\rho(g))$ for any $g \in G$, where tr denotes the trace.
Characters are conjugacy class functions: the relation $\chi(g g' g^{-1}) = \chi(g')$ holds for any two elements $g, g'$
of $G$. Moreover, the value $\chi(1)$ is the dimension of the representation $\rho$. The kernel of $\chi$, denoted by
$\ker(\chi)$, is defined as $\ker(\chi) = \{ g \in G \mid \chi(g) = \chi(1) \}$. It is easy to see that $\ker(\chi)$ is a subgroup of $G$.

A character is said to be irreducible if it is the character of an irreducible representation. Denote by
$\mathrm{Char}(G)$ the set of irreducible (complex) characters of $G$. The relation
$\sum_{\chi \in \mathrm{Char}(G)} [\chi(1)]^2 = |G|$ is well-known and implies the inequality $|\mathrm{Char}(G)| \le |G|$. Let $H$ be a
normal subgroup of $G$. Denote

$$\Lambda_H = \{ \chi \in \mathrm{Char}(G) \mid H \le \ker(\chi) \}.$$

Then the relation

$$\sum_{\chi \in \Lambda_H} [\chi(1)]^2 = [G : H] \qquad (2)$$

holds (see, e.g., [Isa76]).

3 Normal subgroups 

In this section we give an efficient classical protocol computing the subgroup membership function in the
special case where Alice's subgroup $H$ is normal. Our protocol is actually more general: we show that one
can decide efficiently membership in the normal closure of $H$, denoted by $\bar{H}$ (the smallest normal subgroup
of $G$ containing $H$).

The protocol testing normal closure membership, denoted by NORM(G), is as follows.

Protocol NORM(G)

Alice's input: a subgroup $H \in \mathcal{H}_G$.
Bob's input: an element $y \in G$.
Bob's output: $z \in \{0, 1\}$.

1 Alice chooses a random element $\mu$ of $\Lambda_{\bar{H}}$ with probability $[\mu(1)]^2 |\bar{H}| / |G|$;

2 Alice sends the name of $\mu$ to Bob;

3 Bob outputs 1 if $\mu(y) = \mu(1)$ and outputs 0 otherwise.

Observe that by equation (2), the weights of Step 1 do indeed determine a probability distribution. Notice
that $|\Lambda_{\bar{H}}| \le |G|$ since $\Lambda_{\bar{H}} \subseteq \mathrm{Char}(G)$ and $|\mathrm{Char}(G)| \le |G|$. Thus Protocol NORM(G) can be
implemented using $\lceil \log_2 |G| \rceil$ bits of communication. We now show the correctness of this protocol.

Proposition 1. On any input $(H, y)$, Protocol NORM(G) outputs 1 with probability 1 if $y \in \bar{H}$, and outputs
0 with probability at least 1/2 if $y \notin \bar{H}$.

Proof. If $y \in \bar{H}$, then for any element $\mu$ in $\Lambda_{\bar{H}}$ the equality $\mu(y) = \mu(1)$ holds. Then Bob always
outputs 1. Protocol NORM(G) has thus perfect completeness.

Now suppose that $y \notin \bar{H}$. Denote $B = \{ \chi \in \Lambda_{\bar{H}} \mid \chi(y) = \chi(1) \}$. The error probability of the protocol is

To conclude our proof, we now prove that



< 



Let $K$ denote the normal closure of the set $H \cup \{y\}$ in $G$. Remember that the normal closure of a set
$S \subseteq G$ is the smallest normal subgroup of $G$ including $S$, and can be defined explicitly as the subgroup of
$G$ generated by all the elements $g z g^{-1}$ for $g \in G$ and $z \in S$. Since $y \notin \bar{H}$, the subgroup $\bar{H}$ is a proper
subgroup of $K$. In particular $[K : \bar{H}] \ge 2$. We now claim that $B = \Lambda_K$. Then Equation (2) implies that

xeB x^^K ^1^1 

The proof of the claim follows. First suppose that $\chi$ is an element of $\Lambda_K$. Then $\chi(y) = \chi(1)$, thus
$\chi \in B$. Now suppose that $\chi$ is an element of $B$. Then $H \cup \{y\} \subseteq \ker(\chi)$. From the basic properties of
characters, we conclude that $K \subseteq \ker(\chi)$ and thus $\chi \in \Lambda_K$. □

Given a finite group $G$, let $\mathcal{H}'_G$ be the set of normal subgroups of $G$. Since for a normal subgroup $H$ of
$G$ we have $\bar{H} = H$, we conclude that Protocol NORM(G) solves the restriction of $\mathrm{MEMB}_G$ to the domain
$\mathcal{H}'_G \times G$ (notice that this is still a total function).

Theorem 1. For any finite group $G$, the restriction of $\mathrm{MEMB}_G$ to the domain $\mathcal{H}'_G \times G$ can be computed
with perfect completeness and soundness error 1/2 by communicating at most $\lceil \log_2 |G| \rceil$ bits.

We now show a simple lower bound on the communication complexity of $\mathrm{MEMB}_G$. We first recall the
definition of the VC-dimension of a set of functions [VC71].

Definition 1. Let $\Sigma$ be a set of Boolean functions over a finite domain $Y$. We say that a set $S \subseteq Y$ is
shattered by $\Sigma$ if for every subset $R \subseteq S$ there exists a function $\sigma_R \in \Sigma$ such that
$\forall y \in S, (\sigma_R(y) = 1$ if and only if $y \in R)$. The largest size of set $S$ over all $S$ shattered by $\Sigma$ is the
VC-dimension of $\Sigma$, denoted by $VC(\Sigma)$.

We say that a subset $S$ of a finite group $G$ is an independent subset of $G$ if, for each $g \in S$, element
$g$ cannot be written as any product of elements of $S \setminus \{g\}$. We denote by $\gamma(G)$ the maximal size of an
independent subset of $G$. Notice that, for any finite group $G$, the inequality $\gamma(G) \le \log_2 |G|$ holds. We now
state our lower bound.

Proposition 2. $Q^1(\mathrm{MEMB}_G) = \Omega(\gamma(G))$. In particular, the family of groups $G = \mathbb{Z}_2^r$ for $r > 1$ satisfies
$Q^1(\mathrm{MEMB}_G) = \Omega(\log |G|)$.

Proof. For each subgroup $H \in \mathcal{H}_G$ define the function $f_H : G \to \{0, 1\}$ as $f_H(y) = \mathrm{MEMB}_G(H, y)$ for every
$y \in G$. Denote $\Sigma = \{ f_H \mid H \in \mathcal{H}_G \}$. A result by Klauck [Kla07] shows that
$Q^1(\mathrm{MEMB}_G) \ge (1 - h(1/3)) \cdot VC(\Sigma)$, where $h$ is the binary entropy function.

Let $g_1, \ldots, g_{\gamma(G)}$ be distinct elements of $G$ such that $S = \{ g_1, \ldots, g_{\gamma(G)} \}$ is a subset of independent
elements of $G$. The subset $S \subseteq G$ is shattered by $\Sigma$ since it is easy to show that, for any subset $R \subseteq S$, the
function $f_{\langle R \rangle}$ is such that $\forall y \in S, f_{\langle R \rangle}(y) = 1$ if and only if $y \in R$ (here $\langle R \rangle$ denotes the subgroup
generated by the elements in $R$). Then $VC(\Sigma) \ge \gamma(G)$ and $Q^1(\mathrm{MEMB}_G) \ge (1 - h(1/3)) \cdot \gamma(G)$.

The second part of the proposition follows from the observation that each group $\mathbb{Z}_2^r$ is also a vector space
of dimension $r$ over the finite field $\mathbb{Z}_2$ and, thus, $\gamma(\mathbb{Z}_2^r) = r = \log_2(|\mathbb{Z}_2^r|)$. □

Proposition 2 shows that, for the family of groups $G = \mathbb{Z}_2^r$, Protocol NORM(G) is optimal up to a
constant factor.

4 Algorithms for groups with small modular representations



In this section we present a protocol computing the group membership function for groups with small
modular representations. Let $\mathbb{F}_q$ be a finite field with characteristic $p$ not dividing $|G|$. Our protocol,
denoted by MOD-REP(G, $\mathbb{F}_q$), is the following.

Protocol MOD-REP(G, $\mathbb{F}_q$)

Alice's input: a subgroup $H \in \mathcal{H}_G$.
Bob's input: an element $y \in G$.
Bob's output: $z \in \{0, 1\}$.

1 Alice chooses a representation $\rho : G \to GL(V_\rho)$ in $\mathrm{Irr}(G, \mathbb{F}_q)$ with probability $d_\rho \dim I_H(\rho) \, |H| / |G|$;

2 Alice chooses a random vector $v \in I_H(\rho) \subseteq V_\rho$;

3 Alice sends the name of $\rho$ and the vector $v$ to Bob;

4 Bob outputs 1 if $\rho(y)v = v$ and outputs 0 otherwise.

Observe that by equation (1), the weights of Step 1 do indeed determine a probability distribution.
We now show the correctness of this protocol.

Theorem 2. Let $G$ be a finite group and $\mathbb{F}_q$ be a finite field of characteristic $p$ not dividing $|G|$. Protocol
MOD-REP(G, $\mathbb{F}_q$) computes $\mathrm{MEMB}_G$ with perfect completeness and constant soundness error. Its
communication complexity is at most $\lceil \log_2 |G| \rceil + d_{\max} \cdot \lceil \log_2 q \rceil$ bits, where $d_{\max}$ is the maximum
dimension of an irreducible $\mathbb{F}_q$-representation of $G$.

Proof. Note that the protocol is clearly complete: if $y \in H$, then Bob always accepts.

To establish soundness, let $y \notin H$ and define $K = \langle H, y \rangle$, the smallest subgroup containing both $H$ and $y$.
Remember that $I_K(\rho)$ denotes the subspace of $V_\rho$ pointwise fixed by $K$. We see that

$$\mathbb{E}_\rho\left[ \frac{\dim I_K(\rho)}{\dim I_H(\rho)} \right] = \sum_\rho \frac{|H| \, d_\rho \dim I_K(\rho)}{|G|} = \frac{|H|}{|K|} = \frac{1}{[K : H]} \le \frac{1}{2},$$

again by equation (1). Observe, then, that $I_K(\rho) \subseteq I_H(\rho)$ and so

$$\mathbb{E}_\rho\left[ \frac{\dim I_K(\rho)}{\dim I_H(\rho)} \right] \ge \Pr[I_K(\rho) = I_H(\rho)].$$

Then

$$\Pr[I_K(\rho) \ne I_H(\rho)] = 1 - \Pr[I_K(\rho) = I_H(\rho)] \ge 1/2.$$

When $I_K(\rho) \ne I_H(\rho)$, the vector $v$ chosen by Alice has probability no more than $1/q$ to be in $I_K(\rho)$. Then
$\rho(y)v \ne v$ with constant probability in her choices of $\rho$ and $v$.

Since $|\mathrm{Irr}(G, \mathbb{F}_q)| \le |G|$, the communication complexity of the protocol is at most $\lceil \log_2 |G| \rceil + d_{\max} \cdot$



In light of the complexity guarantee of the protocol above, it is natural to ask how the dimensions of the
irreducible representations of a finite group $G$ compare over various fields and, especially, how the modular
case compares to the complex case. When the group algebras involved are semi-simple (as they are in this
paper due to our insistence that $p \nmid |G|$) there is a tight connection expressed in the following proposition.

Proposition 3. Let $G$ be a finite group of exponent $m$ and $p$ be any prime not dividing $|G|$. Then the relation
$d_{\max} \le d^{\mathbb{C}}_{\max} \cdot \mathrm{ord}_m(p)$ holds, where $d^{\mathbb{C}}_{\max}$ is the maximum dimension of a complex irreducible
representation of $G$, $d_{\max}$ is the maximum dimension of an irreducible $\mathbb{F}_p$-representation of $G$, and
$\mathrm{ord}_m(p)$ is the order of $p$ in $\mathbb{Z}_m^*$, the multiplicative group of the integers relatively prime to $m$.

Proof. This is a consequence of the "c-d-e triangle" (see [Ser77]). See Appendix A for a brief discussion. □

As there always exists a prime $p$ of size $O(\log |G|)$ that does not divide $|G|$, we obtain the following
corollary.

Corollary 1. $R^1(\mathrm{MEMB}_G) = O(d^{\mathbb{C}}_{\max} \cdot m \cdot \log \log |G|)$, where $m$ denotes the exponent of $G$ and
$d^{\mathbb{C}}_{\max}$ is the maximum dimension of a complex irreducible representation of $G$.



5 Algorithms for groups with small C-representations 

We now focus on the case where the dimensions of the irreducible $\mathbb{C}$-representations of $G$ are under control.
The key idea is to discretize the protocol given in the previous section. To achieve this goal we use the
concept of an $\varepsilon$-net of a sphere. (As our nets will lie in the vector spaces acted upon by the irreps of $G$, we
define them as subsets of complex Hilbert spaces.)

Definition 2. Let $V$ be a finite-dimensional complex Hilbert space. An $\varepsilon$-net of $V$ is a finite family of
unit vectors $N \subseteq V$ so that for every unit-length vector $w \in V$, there is a vector $n \in N$ so that
$|\langle n, w \rangle|^2 \ge 1 - \varepsilon^2$.

Proposition 4. For any $\varepsilon > 0$ and for any complex Hilbert space $V$ of dimension $d$, there exists an $\varepsilon$-net of
size at most $(4/\varepsilon)^{2d}$.

Proof. For any dimension $d$ and distance $\varepsilon > 0$, there is a set of points $A \subset S^{d-1}$ of cardinality no more
than $(4/\varepsilon)^d$ with the property that every point of $S^{d-1}$ has distance no more than $\varepsilon$ from some point of $A$
(see, e.g., [Mat02, §3.1]). This yields a set with analogous properties of size no more than $(4/\varepsilon)^{2d}$ for the
complex $d$-sphere, which has the same metric as the real $2d - 1$ sphere. Note that if $v$ and $w$ are two unit
vectors of $V$, we may write $v = \langle v, w \rangle w + r$ with $\langle r, w \rangle = 0$ in which case, $\|r\| \le \|v - w\|$. The statement of
the proposition follows. □

Our protocol requires the choice of a sufficiently dense $\varepsilon$-net for each irreducible representation in
$\mathrm{Irr}(G, \mathbb{C})$. This choice is independent of the inputs of the protocol and so can be done by Alice and Bob
without communication. The protocol is as follows.

Protocol COMP-REP(G, $\varepsilon$)

Alice's input: a subgroup $H \in \mathcal{H}_G$.
Bob's input: an element $y \in G$.
Bob's output: $z \in \{0, 1\}$.

1 Alice and Bob agree on an $\varepsilon$-net $N_\rho$ of $V_\rho$ for each $\rho : G \to GL(V_\rho)$ in $\mathrm{Irr}(G, \mathbb{C})$;

2 Alice chooses a representation $\rho : G \to GL(V_\rho)$ in $\mathrm{Irr}(G, \mathbb{C})$ with probability $d_\rho \dim I_H(\rho) \, |H| / |G|$;

3 Alice chooses a random (according to Haar measure) unit length vector $v \in I_H(\rho) \subseteq V_\rho$;

4 Alice sends Bob the name of $\rho$ and the closest vector $n$ in $N_\rho$ to the vector $v$;

5 If $|1 - \langle \rho(y)n, n \rangle| \le 2\varepsilon$, then Bob outputs 1;
Otherwise $|1 - \langle \rho(y)n, n \rangle| > 2\varepsilon$, and Bob outputs 0.
Observe that by equation (1), the weights at Step 2 do indeed determine a probability distribution on
$\mathrm{Irr}(G, \mathbb{C})$. Ideally, at Step 3, Alice would communicate $v$ to Bob: Bob could then check if $\rho(y)v = v$
and, if so, would figure that $y \in H$. If $\rho(y)v \ne v$, Bob would be sure that $y \notin H$, since $I_H(\rho)$ is precisely
the fixed space of $H$. The proof below shows that by sending a sufficiently close approximation to $v$, Bob
can still answer confidently.
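Added example (not from the paper): exact acceptance probabilities on the constructed sample group $S_3$ for Protocol NORM(G) of Section 3 and for the idealized variant just described, in which Alice sends $v$ itself rather than a net point. All function names are hypothetical; the sketch assumes the standard character table of $S_3$, the weights $d_\rho \dim I_H(\rho)\,|H|/|G|$, and the standard formula $\dim I_H(\rho) = \frac{1}{|H|}\sum_{h \in H} \chi(h)$.

```python
from fractions import Fraction
from itertools import permutations

# Constructed sample group: S3 as permutations of (0, 1, 2).
G = list(permutations(range(3)))
E = (0, 1, 2)      # identity
T = (1, 0, 2)      # a transposition
C = (1, 2, 0)      # a 3-cycle

def mul(a, b):
    """Composition: apply b first, then a."""
    return tuple(a[b[i]] for i in range(3))

def inv(a):
    out = [0, 0, 0]
    for i, ai in enumerate(a):
        out[ai] = i
    return tuple(out)

def sign(g):
    inversions = sum(1 for i in range(3) for j in range(i + 1, 3) if g[i] > g[j])
    return -1 if inversions % 2 else 1

# Irreducible complex characters of S3 (standard character table).
CHARS = {
    "trivial": lambda g: 1,
    "sign": sign,
    "standard": lambda g: sum(1 for i in range(3) if g[i] == i) - 1,
}

def generated(gens):
    """Subgroup generated by gens (closure under products suffices in a finite group)."""
    elems = {E} | set(gens)
    frontier = list(elems)
    while frontier:
        x = frontier.pop()
        for s in list(elems):
            for p in (mul(x, s), mul(s, x)):
                if p not in elems:
                    elems.add(p)
                    frontier.append(p)
    return frozenset(elems)

def normal_closure(S):
    """Subgroup generated by all conjugates g z g^-1, g in G, z in S."""
    return generated({mul(mul(g, z), inv(g)) for g in G for z in S})

def norm_accept_prob(H, y):
    """Pr[Bob outputs 1] in Protocol NORM(G) on input (H, y)."""
    Hbar = normal_closure(H)
    total = Fraction(0)
    for chi in CHARS.values():
        if all(chi(h) == chi(E) for h in Hbar):          # chi lies in Lambda_Hbar
            weight = Fraction(chi(E) ** 2 * len(Hbar), len(G))
            if chi(y) == chi(E):                         # Bob's test
                total += weight
    return total

def fixed_dim(chi, H):
    """dim I_H(rho) = (1/|H|) * sum of chi(h) over h in H."""
    return Fraction(sum(chi(h) for h in H), len(H))

def rep_accept_prob(H, y):
    """Pr[Bob outputs 1] when Alice sends the exact Haar-random v in I_H(rho).

    Bob accepts iff rho(y)v = v, i.e. iff v lies in I_K(rho) with K = <H, y>;
    for a proper subspace I_K(rho) of I_H(rho) this happens with probability 0.
    """
    K = generated(set(H) | {y})
    total = Fraction(0)
    for chi in CHARS.values():
        dH, dK = fixed_dim(chi, H), fixed_dim(chi, K)
        weight = chi(E) * dH * len(H) / len(G)
        if dH > 0 and dK == dH:
            total += weight
    return total

TRIV = frozenset({E})       # trivial subgroup (normal)
A3 = generated({C})         # alternating subgroup (normal)
H2 = generated({T})         # order-2 subgroup (not normal)

if __name__ == "__main__":
    for name, H, y in [("{1}", TRIV, T), ("A3", A3, T), ("<T>", H2, C)]:
        print(name, "NORM:", norm_accept_prob(H, y), "exact-v:", rep_accept_prob(H, y))
```

For the nonnormal subgroup `H2` and the 3-cycle `C`, NORM accepts with probability 1 because the normal closure of `H2` is all of $S_3$, while the representation-based test accepts with probability 1/3.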

The following theorem states the correctness and the communication complexity of this protocol. 

Theorem 3. There exists a choice of $\varepsilon_G$ such that Protocol COMP-REP(G, $\varepsilon_G$) computes $\mathrm{MEMB}_G$ with
perfect completeness and constant soundness error by communicating $O(d^{\mathbb{C}}_{\max} \cdot \log |G|)$ bits, where
$d^{\mathbb{C}}_{\max}$ denotes the maximum dimension of an irreducible $\mathbb{C}$-representation of $G$.

Proof. As the name of the representation $\rho$ can be encoded using $\lceil \log_2 |G| \rceil$ bits, the communication
complexity of the protocol will be dominated by the number of bits necessary to encode the vector $n$. We will
show that a choice $\varepsilon = \varepsilon_G = \Omega(1 / (|G|^2 \, \mathrm{poly} \log |G|))$ suffices to achieve perfect completeness and
constant soundness. According to Proposition 4 such an $\varepsilon$-net can be indexed with $O(d_\rho \log |G|)$ bits. This
gives our upper bound.

We proceed with the analysis of the completeness and soundness of the protocol. 

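Completeness Observe that if $y \in H$, then the vector $v$ chosen by Alice in the protocol is fixed by $\rho(y)$.
Recall that Alice sends Bob a vector $n$ for which $|\langle n, v \rangle|^2 \ge 1 - \varepsilon^2$; writing

$$n = \langle n, v \rangle v + r$$

(where $\langle r, v \rangle = 0$) we have

$$1 = \langle n, n \rangle = |\langle n, v \rangle|^2 + \langle r, r \rangle$$

and $\|r\| \le \varepsilon$. Considering that

$$\langle \rho(y)n, n \rangle = |\langle n, v \rangle|^2 + \langle \rho(y)r, n \rangle$$

we conclude that

$$|1 - \langle \rho(y)n, n \rangle| = |1 - |\langle n, v \rangle|^2 - \langle \rho(y)r, n \rangle| \le (1 - |\langle n, v \rangle|^2) + |\langle \rho(y)r, n \rangle| \le \varepsilon^2 + |\langle \rho(y)r, n \rangle|.$$

Recall that $\rho(y)$ is unitary, so that $\|\rho(y)r\| = \|r\|$. Then, by the Cauchy-Schwarz inequality,

$$|1 - \langle \rho(y)n, n \rangle| \le \varepsilon^2 + \|r\| \le \varepsilon^2 + \varepsilon.$$

As $\varepsilon < 1$, we have $\varepsilon^2 + \varepsilon < 2\varepsilon$ and it follows that the protocol has perfect completeness.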

Soundness We wish to show that for sufficiently small $\varepsilon$ ($= 1/\mathrm{poly}\,|G|$), the protocol has constant
soundness. Assume that $y \notin H$ and let $K = \langle H, y \rangle$, the smallest subgroup containing $H$ and $y$. Our goal
will be to show that with constant probability $\langle v, \rho(y)v \rangle$ is far from 1, in which case the same can be said
of $n$ so long as $\varepsilon$ is sufficiently small.
From equation (1),

$$\mathbb{E}_\rho\left[ \frac{\dim I_K(\rho)}{\dim I_H(\rho)} \right] = \sum_\rho \frac{|H| \, d_\rho \dim I_K(\rho)}{|G|} = \frac{|H|}{|K|} = \frac{1}{[K : H]} \le \frac{1}{2}.$$

Then, with constant probability, the subspace of $I_H(\rho)$ fixed by $y$ has dimension no more than
$2/3 \cdot \dim I_H(\rho)$. We may write the vector $v \in I_H(\rho)$ as $v = v_y + v'$, where $v_y \in I_K(\rho)$ and
$v' \in [I_K(\rho)]^\perp$, the space perpendicular to $I_K(\rho)$. We then have $\rho(y)v_y = v_y$ and
$v_y \in I_K(\rho) \subseteq I_H(\rho)$. Now, as $v$ is chosen uniformly on the unit sphere in $V_\rho$, we have
$\mathbb{E}_v[\|v_y\|^2] = \dim I_K(\rho) / \dim I_H(\rho)$ and the probability
$\Pr_{\rho, v}[\|v'\|^2 \ge 1/6]$ is lower bounded by a constant.² We wish to conclude that, conditioned on the event
$\|v'\|^2 \ge 1/6$, the value

$$\frac{\langle v', \rho(y)v' \rangle}{\|v'\|^2}$$

cannot be too close to 1. We will show, in fact, that the real part is appropriately bounded below 1.

Consider the restriction of the representation $\rho : G \to GL(V_\rho)$ chosen by Alice to the subgroup $K$:
specifically, we may decompose $V_\rho$ as an orthogonal direct sum of $K$-invariant subspaces:

i 

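where each $\sigma_i$ is in $\mathrm{Irr}(K, \mathbb{C})$ (but copies of the same irrep may appear several times in the direct sum). In
this decomposition, $v_y$ is precisely the projection of $v$ into the subspace $\bigoplus_{i : \sigma_i = 1} W_{\sigma_i}$ corresponding to the
copies of the trivial representation; $v'$, on the other hand, lies solely in $\bigoplus_{i : \sigma_i \ne 1} W_{\sigma_i}$. As both $v$ and $v_y$ lie
in $I_H(\rho)$, the difference $v'$ does as well and the projection of $v'$ into each $W_{\sigma_i}$ is $H$-invariant (that is, lies in
$I_H(\sigma_i)$). With this in mind, we shall upper bound

$$\Re \langle v', \rho(y)v' \rangle$$

by controlling

$$\lambda_y = \max_{\sigma \ne 1} \max_{w \in I_H(\sigma)} \frac{\Re \langle w, \sigma(y)w \rangle}{\|w\|^2}$$

taken over all nontrivial irreps $\sigma$ of $K$ and all $H$-invariant vectors $w$ in $W_\sigma$. In particular, writing
$v' = \sum_{i : \sigma_i \ne 1} v'_i$ (with each $v'_i$ lying in $W_{\sigma_i}$), we have $\|v'\|^2 = \sum_{i : \sigma_i \ne 1} \|v'_i\|^2$ and

$$\Re \langle v', \rho(y)v' \rangle = \sum_{i : \sigma_i \ne 1} \Re \langle v'_i, \rho(y)v'_i \rangle \le \sum_{i : \sigma_i \ne 1} \lambda_y \|v'_i\|^2 = \lambda_y \|v'\|^2.$$

Observe that if $A$ is a set of generators for $H$ and $w$ is an $H$-invariant vector of $W_\sigma$,

$$\langle w, \sigma(y)w \rangle = \langle w, \sigma(y) S_A w \rangle$$

where $S_A = S_A^\sigma = \frac{1}{|A|} \sum_{a \in A} \sigma(a)$. Then

$$\lambda_y \le \max_{\sigma \ne 1} \max_{w \in W_\sigma} \frac{\Re \langle w, \sigma(y) S_A w \rangle}{\|w\|^2}.$$

(Note that the vector $w$ is not constrained to be $H$-invariant in this expression.) If we choose $A$ to be a
symmetric generating set (so that $a \in A \Leftrightarrow a^{-1} \in A$) then $S_A$ is self-adjoint and $\sigma(y)$ is unitary so that

$$\max_{\sigma \ne 1} \max_{\|w\| = 1} \Re \langle w, \sigma(y) S_A w \rangle = \max_{\sigma \ne 1} \max_{\|w\| = 1} \frac{1}{2} \left[ \langle w, \sigma(y) S_A w \rangle + \langle w, S_A \sigma(y^{-1}) w \rangle \right].$$

² Of course, when $\dim I_K(V_\rho) \le 2/3 \dim I_H(V_\rho)$, the random variable $\|v'\|^2$ possesses much stronger
concentration around the expected value than this.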
As the operator $\sigma(y) S_A + S_A \sigma(y^{-1})$ is Hermitian, we have

$$\max_{\sigma \ne 1} \max_{\|w\| = 1} \Re \langle w, \sigma(y) S_A w \rangle \le \max_{\sigma \ne 1} \left\| \frac{\sigma(y) S_A + S_A \sigma(y^{-1})}{2} \right\|$$

where $\| \cdot \|$ denotes the operator norm.

In order to control this operator norm, observe that the linear operator $(1/2)[\sigma(y) S_A + S_A \sigma(y^{-1})]$ is
precisely given by the left action of the group algebra element

$$[A, y] = \frac{1}{2|A|} \left( \sum_{a \in A} ya + \sum_{a \in A} a y^{-1} \right) \in \mathbb{C}[K] \qquad (3)$$

on the invariant subspace of $\mathbb{C}[K]$ corresponding to the representation $\sigma$. Alternatively, we may consider
the Cayley graph on the group $K$ given by the symmetric generating (multi-)set $yA \cup Ay^{-1}$. The (normalized)
adjacency matrix of this Cayley graph is identical to the regular representation evaluated at the group algebra
element $[A, y]$ above. As $yA \cup Ay^{-1}$ is a (symmetric) generating set for $K$, the operator norm of $\sigma([A, y])$ is
bounded below 1 for each nontrivial $\sigma$ (see, e.g., [HLW06]). In order to conclude the proof, we require
explicit bounds on this spectral gap.

A result of Erdős and Rényi [ER65] asserts that we may select a set of generators $A$ for $H$ of size
$O(\log |H|)$ so that the diameter of the resulting Cayley graph (generated by $A$ over $H$) is $O(\log |H|)$.
Considering that the diameter of $A$ (as generators for $H$) is $O(\log |H|)$, it is easy to see that the set
$yA \cup Ay^{-1}$ induces a Cayley graph on $K$ of diameter no more than $O([K : H] \log |H|)$.

Now we may invoke a theorem of Babai [Bab91] asserting that the second eigenvalue of any (undirected)
Cayley graph with degree $d$ and diameter $\Delta$ is no more than $d - \Omega(1/\Delta^2)$. (If we normalize the adjacency
matrix by degree, the second eigenvalue is no more than $1 - \Omega(1/(d\Delta^2))$.) We conclude that



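$$\frac{\Re \langle v', \rho(y)v' \rangle}{\|v'\|^2} \le \max_{\sigma \ne 1} \left\| \frac{\sigma(y) S_A + S_A \sigma(y^{-1})}{2} \right\| \le 1 - \Omega\left( \frac{1}{[K : H]^2 \log^3 |H|} \right)$$

and, considering that $\|v'\|^2 \ge 1/6$, that

$$\Re \langle v, \rho(y)v \rangle \le \|v_y\|^2 + \|v'\|^2 \, \frac{\Re \langle v', \rho(y)v' \rangle}{\|v'\|^2} \le 1 - \Omega\left( \frac{1}{[K : H]^2 \log^3 |H|} \right).$$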



Finally, Alice's $n$ can be written $n = v + r$ with $\|r\| \le \varepsilon$, in which case

$$|\langle n, \rho(y)n \rangle| \le 1 - \Omega\left( \frac{1}{[K : H]^2 \log^3 |H|} \right) + 3\varepsilon < 1 - 2\varepsilon,$$



for £ = D.{[K : //] log \H\); thus the protocol is sound. 



□ 



In particular, Theorem 3 shows that, over groups for which $d^{\mathbb{C}}_{\max}$ is constant, the subgroup membership
problem can be solved using $O(\log |G|)$-bit communication. There is a very beautiful characterization of
such groups: a family of groups has representations of bounded degree if and only if each group of the family
has an abelian subgroup of constant index [Glu85]. We thus obtain the following corollary.

Corollary 2. Let $G$ be a family of groups each possessing an abelian subgroup of constant index. Then
$R^1(\mathrm{MEMB}_G) = O(\log |G|)$.
A Remarks on the relationship between $\mathbb{C}$ and $\mathbb{F}_p$ representations

Let $G$ be a finite group of exponent $m$ (so $m$ is the smallest integer for which $g^m = 1$ for all $g \in G$). We
outline a technique for reducing $\mathbb{C}$-representations of $G$ to $\mathbb{F}_p$-representations in a manner that preserves
irreducibility. For a complete account, see [Ser77]. By a difficult theorem of Brauer (see, e.g., [CR06]), one
may always realize a $\mathbb{C}$-irrep over the field $\mathbb{Q}[\zeta_m]$ where $\zeta_m$ is a principal $m$th root of unity. (It is natural to
guess that this might be true, as all eigenvalues of a representation of $G$ are $m$th roots of unity.) Let
be the ring of algebraic integers in $\mathbb{Q}[\zeta_m]$ (it so happens that in this cyclotomic case $\mathbb{Z}[\zeta_m]$ is indeed the ring
of algebraic integers). Let $p > 2$ be a prime, and let $\mathfrak{P}$ = Z[(^„,] (;?)); this is a prime ideal of lying
over $p$ in the sense that $\mathfrak{P} \cap \mathbb{Z} = (p)$. Now, if only the representation could be realized over $\mathbb{Z}[\zeta_m]$, we
could simply reduce mod $\mathfrak{P}$ and obtain a representation over an extension of $\mathbb{F}_p$. However, this is either not
always true or just not known to be true by the authors. To fix the problem, one first localizes at $\mathfrak{P}$; that
is, we consider the ring $\mathbb{Z}[\zeta_m]_{\mathfrak{P}}$ of all fractions with the property that the denominator lies outside $\mathfrak{P}$; this
is a principal ideal domain with a single prime (and maximal) ideal. In this case, the representation can
be realized over $\mathbb{Z}[\zeta_m]_{\mathfrak{P}}$, as this PID generates the whole field as its field of fractions (see [CR06, §73.6]).
Now we can reduce mod $\mathfrak{P}$; the result is a matrix realization over the field $\mathbb{Z}[\zeta_m]_{\mathfrak{P}} / \mathfrak{P}$; it is easy to check
that this is an extension of the field $\mathbb{F}_p = \mathbb{Z}/(p)$. Furthermore, the dimension of this extension field is
the multiplicative order of $p$ modulo $m$ (the same as the extension of the splitting field of the polynomial
$X^m - 1$ over $\mathbb{F}_p$). This immediately gives rise to a representation over the field $\mathbb{F}_q$ with $q = p^{\mathrm{ord}_m(p)}$ <
We remark that this process preserves irreducibility, and induces a complete decomposition of $\mathbb{F}_p[G]$ into
irreducible representations.